“Remember me” doesn’t, very much #13327
Comments
Also, “Remember Me” should be checked by default. It’s what almost everyone wants. (Increasingly, services are even omitting the checkbox altogether and not offering expire-at-end-of-browser-session cookies.)
You can customize the amount of time the session is kept alive by setting the
Is login_cookie_expire = 2592000 going to keep it alive for up to thirty days from login time, or from session-last-used time? I expect “remember me” on a site to keep a session that I continue to use alive indefinitely. A session that I don’t use for a while, I’ll grudgingly allow it to expire. I suggest that the defaults should be increased, and Remember Me checked by default.
From the login time.
Ever since upgrading to 3.6.0 Matomo keeps forgetting me on a daily basis, both on phone and PC. I see there were changes related to sessions / login, so this might be the cause of the issue.
@dev-101 Forgetting you after a day, after you close and re-open your browser or randomly while using the same browser?
Believe it or not, it happens sometimes during the same browser session. I am still puzzled why.
@dev-101 Odd, the new session code will log you out if there is a change in user agent, but of course won't happen w/ the same browser (only if someone steals your session cookie and tries to use it in another browser). It's possible your server is deleting the session through session GC, but I can't see why it would happen otherwise. (Note: Matomo will use
On the same setup I run WordPress and no issues. I do use a UA extension, but it is disabled by default, I'll verify later.
AFAIK WordPress doesn't use a real session, it uses cookies. (Though I'm no WordPress expert, so...)
I would say we can likely also remove the user agent comparison as it doesn't provide too much value in terms of security. Browsers are now updated to the latest version regularly and it doesn't take too much effort to "guess" the browser version. Also if an attacker gets the session id through XSS an attacker can easily get the user agent too. If the session id is stolen through HTTP sniffing, then the user agent will be available too (not through HTTPS though). It does provide little additional security, but not too much.
Everything was fine in 3.5.1. Does Matomo have a debug mode?
In 3.5.1 a cookie was used, but this was deemed insecure. You can enable debug logging (see https://matomo.org/faq/troubleshooting/faq_115/), but I don't think that will give you any new information in this case. If you are being booted out at regular intervals (eg, say you find it's always 1 hour after you login that you're booted out), then it's probably
There are dozens of session files in the piwik session dir, I doubt I'm being logged out because they are missing. Something else is going on here in my opinion. Can frequent IP changes now cause this? I'm on the move, plus I'm behind NAT at home. That's my suspect no. 1.
There was originally an IP check in the PR that moved to real sessions, but this was moved specifically to avoid this problem.
"moved" as in removed?
Yes, "removed", mistyped. Sorry for the confusion.
I'll reinstall 3.6.0 from scratch and see if that'll help fix the weird stuff going on since the update.
Another fun fact: toggling Android Chrome's "request desktop site" switch back and forth logs you out immediately and requests another login. Now, security aside, how do big companies like Google handle the log-in procedure? I am virtually never logged out. Yet, I doubt they have an insecure login.
The request desktop site log out is likely due to the user agent check (which I'll remove). The other random log outs you're experiencing are due to something else. Pretty sure Google uses server backed sessions, but these sessions are not on your server, so of course whatever issue is affecting you would not affect your Google sessions. Perhaps you can record the session ID before & after you randomly get logged out, and see if the files for those sessions still exist (as well as see what's in them)? Might be a long shot but you can also try applying this PR: #13391 . Would only affect you if something on your Matomo is regularly changing your user info.
Does Matomo still use the same logic (cookie) for the "ignore visits" functionality? (I don't really closely follow Matomo development, sorry). I have coded a simple plugin to keep my ignore cookie auto set every time I login into Piwik/Matomo: Could it now be the cause of this trouble?
Yes, the cookie based "ignore visits" functionality shouldn't have changed. No, that plugin shouldn't be causing this... Are you using any other plugins? You could try deactivating them and seeing if it has an effect. I would also apply #13391 just in case.
No, all other plugins are part of the Core, some of them are not active by default (Device Detector comes to mind, maybe that has changed and it's active now by default), so that's it (still planning the re-installation mentioned above, but if I can avoid it, it will be great).
I'm not sure re-installing would help here, I would suggest trying a fresh install on the same server (alongside the existing install) and seeing if it experiences the same issue. If so, then you'll know that re-installing won't solve the problem.
Will try both options, thank you!
I can confirm that the situation has stabilized after applying the above patch by @diosmosis.
fyi @mattab the original issue is here: #13327 (comment) and is a request to change "remember me" behavior.
@diosmosis could you please confirm the current behavior of the Remember me feature:
I have some new information: yesterday I used the 'clear storage' option in Chrome > DevTools, and ever since that operation Matomo kept forgetting me on every browser restart. I tried it multiple times, it was repeatable, regardless of the 'remember me' checkbox being checked every single time. Then, today, finally out of ideas, I logged in, then clicked on the 'Exit' icon in Matomo, logged in again, and that's how I finally got it to remember me. During the entire episode, I wasn't logged out from other devices, that part was OK. Nothing was changed in the environment, either.
@mattab If a user logs in w/ remember me, the expiration time does not change on each authenticated HTTP request. If a logged in user goes to the login screen manually (by typing in
@dev-101 If you clear the cookies, the session won't persist since the session cookie will disappear.
I think it would be better if we automatically postpone by two weeks each time a remember-me user browses the UI, what do you think? @tsteur @diosmosis
👍 by two weeks, or four weeks or so. It shouldn't log me out after two weeks even when I used the product yesterday.
Will give it a shot, not sure how easy it will be to do.
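The two session-lifetime policies debated in this exchange, modelled as an added illustration (this is example code written for this page, not Matomo's implementation): absolute expiry counted only from login time, as diosmosis describes the current behaviour, versus the sliding window mattab proposes, where each authenticated request pushes the expiry out again. The day-based request timeline and the hard cap on the sliding window are constructed assumptions; Python is used here for a runnable model rather than Matomo's PHP.

```python
from dataclasses import dataclass

DAY = 86400
LOGIN_COOKIE_EXPIRE = 2592000  # 30 days, the value quoted in the thread


@dataclass
class Session:
    login_at: int    # seconds; constructed timeline, login happens at t=0
    expires_at: int


def absolute_policy(s: Session, now: int) -> bool:
    """Expiry is fixed at login time; using the UI never extends it."""
    return now < s.expires_at


def make_sliding_policy(window: int, hard_max: int):
    """Each authenticated request pushes expiry out by `window` seconds, but
    never beyond login_at + hard_max, so a stolen cookie still has a ceiling
    (the hard cap is an assumption added here, not something the thread
    settles on)."""
    def policy(s: Session, now: int) -> bool:
        if now >= s.expires_at:
            return False          # idle too long, or cap reached: re-login
        s.expires_at = min(now + window, s.login_at + hard_max)
        return True
    return policy


def simulate(policy, initial_lifetime: int, request_days):
    """Constructed timeline: login at day 0, then one request on each listed
    day. Returns the days on which the request still found a live session."""
    s = Session(login_at=0, expires_at=initial_lifetime)
    return [d for d in request_days if policy(s, d * DAY)]


if __name__ == "__main__":
    # The complaint in the thread: used the product on day 13, still logged
    # out on day 15 under a fixed two-week lifetime.
    print(simulate(absolute_policy, 14 * DAY, [1, 13, 15]))        # [1, 13]
    # Sliding two-week window: day 15 is fine, but a 21-day gap is not.
    sliding = make_sliding_policy(14 * DAY, 365 * DAY)
    print(simulate(sliding, 14 * DAY, [1, 13, 15, 26, 39, 60]))    # [1, 13, 15, 26, 39]
    # Sliding window with a 30-day hard cap: even active use stops at day 30.
    capped = make_sliding_policy(14 * DAY, LOGIN_COOKIE_EXPIRE)
    print(simulate(capped, 14 * DAY, [1, 13, 26, 29, 31]))         # [1, 13, 26, 29]
```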
Yes, but I did that only once, and every next browser (re)start with a fresh login should keep the new session? Today I repeated the experiment, and it behaves exactly the same. Why does clearing site data break the 'remember me' functionality until I "exit" from Matomo and sign in again? It doesn't make any sense to me :( Point is, the 'remember me' checkbox doesn't work in that case.
@dev-101 I'm not exactly sure I understand what you mean, but it sounds odd. Given this is something that affects one if they use the dev tools, I don't think it will be something that will be worked on immediately. Can you create a new issue for it?
If you do not find this at least intriguing, then I am OK with it, too :) Regards
It's certainly intriguing, but I might not have time to look into it before 3.6.1 is released.
No problem, that's ok with me, I'm in no hurry, as after applying your patch above things got back to normal. I just wish to help you get to the bottom of this, and provide you with hopefully useful findings during that process.
No worries @dev-101, thanks for going through the trouble of testing!
I would like to bring the comment up again from @chris-morgan
I also wish the default to be higher than 2 weeks. When I check the checkbox on other applications, like Google, Facebook and so on, I will stay logged in for 1 year. I would suggest to also raise the default timeout to 1 year. If you don't want to stay logged in for a longer time then don't check the checkbox and you will be logged in until the browser gets closed. For me this issue is the most annoying thing when I need to login over and over again even if I really want to stay logged in. PS: Yes, I don't check the stats every 2 weeks to continue the session life time...
Sorry for resurrecting, but I am experiencing pretty much the same behaviour with my instance.
Hi @andrelung
I did and I took all the mentioned steps without success. At some point I just gave up, because it just became accepted behaviour for me and my colleagues. However I think I've found the culprit. Only instances with LDAP configured behave this way. Anyone else with this issue, who has LDAP activated?
I have an instance with LDAP enabled and for me the "stay logged in" doesn't work.
Please see matomo-org/plugin-LoginLdap#206
I expect “Remember Me” to keep my session alive at the very least until I have not used it for thirty days.
Instead, it looks like it produces a cookie which dies after two weeks? That’s super annoying.
Please let me stay logged in either indefinitely or at least until I haven’t used it for a month.